[ Solved ] Wireguard handshake OK but there is no internet access

Hello All and Thanks,

I have given openvpn a go and freedombox has been perfect! Now it is Wireguard.

My setup is Debian 11 and it has been installed with:
DEBIAN_FRONTEND=noninteractive apt install freedombox

On a VPS, and ufw has been disabled.

Wireguard handshake is OK but there is no internet access. I cannot ping the freedombox server with wireguard server ip address 10.84.0.1 from the client 10.84.0.2

Below I have copied and pasted some of the network information for my setup. I have looked into the var log of freedombox but I could not see anything of interest.

Any pointers welcome!

Regards: peter

VPS Server

ip addr show

 wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.84.0.1/24 brd 10.84.0.255 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 fe80::a96a:4ed5:fc87:9b35/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         216.238.78.1    0.0.0.0         UG    100    0        0 enp1s0
10.84.0.0       0.0.0.0         255.255.255.0   U     50     0        0 wg0
10.84.0.2       0.0.0.0         255.255.255.255 UH    50     0        0 wg0
169.254.169.254 216.238.78.1    255.255.255.255 UGH   100    0        0 enp1s0
216.238.78.0    0.0.0.0         255.255.254.0   U     100    0        0 enp1s0

wg show

interface: wg0
  public key: ZRcbHrG76JZW2plqFHDZ8e5N/LntixqUFObZnvVXciI=
  private key: (hidden)
  listening port: 51820

peer: 7w6acekKkI6YIKYcofEEFyTgZ4FonkxUuiTNMrDF2G0=
  endpoint: 78.146.78.211:57753
  allowed ips: 10.84.0.2/32
  latest handshake: 1 hour, 32 minutes, 20 seconds ago
  transfer: 1.64 MiB received, 131.71 KiB sent
  persistent keepalive: every 25 seconds

nano /etc/sysctl.conf

Uncomment the next line to enable packet forwarding for IPv4

net.ipv4.ip_forward=1

Client

ip addr show

 wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.84.0.2/32 scope global noprefixroute wg0
       valid_lft forever preferred_lft forever
    inet6 fe80::2afd:4074:7222:d42a/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.84.0.1       0.0.0.0         UG    50     0        0 wg0
0.0.0.0         192.168.1.1     0.0.0.0         UG    600    0        0 wlp4s0
10.84.0.1       0.0.0.0         255.255.255.255 UH    50     0        0 wg0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlp4s0
192.168.1.0     0.0.0.0         255.255.255.0   U     600    0        0 wlp4s0

wg show

interface: wg0
  public key: 7w6acekKkI6YIKYcofEEFyTgZ4FonkxUuiTNMrDF2G0=
  private key: (hidden)
  listening port: 57753
  fwmark: 0xcb5f

peer: ZRcbHrG76JZW2plqFHDZ8e5N/LntixqUFObZnvVXciI=
  endpoint: 216.238.78.181:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 hour, 31 minutes, 34 seconds ago
  transfer: 124.68 KiB received, 527.21 MiB sent
  persistent keepalive: every 25 seconds

resolvectl status

Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
DNS Domain: lan

Link 2 (enp6s0)
Current Scopes: none
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlp4s0)
Current Scopes: DNS
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
DNS Servers: 192.168.1.1
DNS Domain: lan

Link 75 (wg0)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8

Update:

I used tcpdump on the server interface enp1s0, and of interest is: [bad udp cksum 0xc5b6 -> 0x9d7e!], which seems to be minor?

Regards: peter

tcpdump -i enp1s0 port 51820 -vvv

19:53:45.394114 IP (tos 0x88, ttl 64, id 17081, offset 0, flags [none], proto UDP (17), length 176)
216.238.78.181.vultrusercontent.com.51820 > host-78-146-78-211.as13285.net.53425: [bad udp cksum 0xc5b6 -> 0x9d7e!] UDP, length 148

I’ll go with the low-hanging fruit - firewall allowing UDP packets?

Hello All, update,

I have set up a new freedombox instance on a VPS in a different location, just to see if anything different would happen with tcpdump.

As good as the same:

tcpdump -i enp1s0 port 51820 -vvv
[bad udp cksum 0x24b8 -> 0x632c!]

If I was to set up openvpn on this freedombox, it would be up and running. So managing udp packets is not an issue with the vps? The client and server have a handshake. So the two ends are connected but there is no internet connection. The network setup looks OK?

Regards: peter

Hello All and an update,

I have just used this how-to - Set up WireGuard VPN on Ubuntu 20.04. I used Debian bullseye for the install, just to see what if, and again the same problem. Handshake but no connection. On the same VPS I have run a freedombox and openvpn, and excellent.

So a bare bones setup for wireguard - Set up WireGuard VPN on Ubuntu 20.04 - has the same problem as freedombox and wireguard. Handshake but no connection.

? Strange

Regards: peter

Hello All,

I think I got wireguard working with the bare bones setup? Two things are different this time. The first is that I have not used the GUI “nm-connection-editor” to set up the wireguard connection info.
I used instead the text file method:

sudo nano /etc/wireguard/wg-client.conf

A copy and paste, tweaked to my setup.
The second thing that is different is the network specs.
Freedombox 10.84.0.0
Bare bones 172.26.5.67

I can now ping the wireguard server from the client wireguard and the other way round.
ping 172.26.3.155 # server ip

I will set up freedombox again but this time I will use the text file method to set up the wireguard client.

Now the wireguard is Perfect:

With the new install of freedombox I used the text file method for setting up the client.

Perfect and Many Thanks to the Freedombox People.

2 Likes
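
An added example, not part of the thread: a Python check for `wg show` output like that posted above. It flags peers whose "latest handshake" is older than WireGuard's 180-second key lifetime (REJECT_AFTER_TIME), since a tunnel that is passing traffic or keepalives re-handshakes about every two minutes. The sample text, peer names and function names are constructed for illustration.

```python
import re

# WireGuard timer: session keys are rejected 180 s after the handshake, so an
# older "latest handshake" means the peer has no usable session right now.
REJECT_AFTER_TIME = 180
UNIT_SECONDS = {"year": 31536000, "day": 86400, "hour": 3600, "minute": 60, "second": 1}

# Constructed sample in the layout `wg show` prints; keys are placeholders.
SAMPLE = """\
interface: wg0

peer: PEER_A_PLACEHOLDER_KEY=
  endpoint: 192.0.2.10:57753
  allowed ips: 10.84.0.2/32
  latest handshake: 1 hour, 32 minutes, 20 seconds ago
  persistent keepalive: every 25 seconds

peer: PEER_B_PLACEHOLDER_KEY=
  allowed ips: 10.84.0.3/32
"""

def handshake_age(text):
    """Convert '1 hour, 32 minutes, 20 seconds ago' to seconds."""
    parts = re.findall(r"(\d+) (year|day|hour|minute|second)s?", text)
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in parts)

def parse_peers(output):
    """Return one dict of fields per 'peer:' stanza."""
    peers, current = [], None
    for line in output.splitlines():
        key, sep, value = line.strip().partition(": ")
        if key == "peer" and sep:
            current = {"peer": value}
            peers.append(current)
        elif key == "interface":
            current = None  # fields that follow belong to the interface
        elif sep and current is not None:
            current[key] = value
    return peers

def stale_peers(output):
    """List (peer, reason) for peers without a live session."""
    found = []
    for p in parse_peers(output):
        if "latest handshake" not in p:
            found.append((p["peer"], "never completed a handshake"))
        elif (age := handshake_age(p["latest handshake"])) > REJECT_AFTER_TIME:
            found.append((p["peer"], f"last handshake {age} s ago"))
    return found
```

Call `stale_peers()` on the text captured from `wg show` on either end; an empty list means every peer has a current session.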